A round of Santa-plause for everyone who managed to solve challenge 1 of our puzzle!
Hopefully you’re not sick of unwrapping presents, as the PAD team has one more gift for you: Challenge 2.
Don’t forget to follow our Twitter: @PADtech_team and join our Discord: https://discord.gg/E2A4AfVr … Yule not be sorry!
Challenge 2 Details
Because we were just hacked by those of you who solved challenge 1, we have decided to re-key.
Our new public key is
h = 75510971883087663591701901438676157301580390162370281086763801811083530012385
We now are going to prove knowledge of the secret key associated with h, which is the discrete log of h to the base g (namely h = gx). We will use a Schnorr ZK proof, which has the following structure:
The prover chooses a random value r from G and commits to it by sending t = gr to the verifier.
The verifier responds with a challenge value c chosen randomly from G.
The prover sends to the verifier s = r + cx.
The verifier accepts if and only if gs = t * hc.
We run a Schnorr ZK proof, and as the verifier you see the following transcript:
Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717
Challenge value: 21217313341520279359841291908598942829253213559939161591405075035133032243307
Response: 29511709109214253695057140435219327643129720016531218179722110339900600154187
You decide to request yet another proof of knowledge from us. The transcript of this execution is:
Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717
Challenge value: 10882468452441661286548616348307372754238857894764013328524497676555360540782
Response: 35223818631641012707338557887187517850120109862932150055814843879213174655442
You notice a flaw in our ZK implementation and use it to reconstruct our secret key. What is it?
Comments